Risk Management Reports

September, 1997Volume 24, No. 9

GARP

John Irving's novel, The World According to Garp, describes
a tumultuous world where the unexpected occurs and the characters are unprepared.
It has nothing to do with the newest "GARP," a set of suggested
"generally accepted risk principles" prepared by the international
accounting firm of Coopers & Lybrand and published last year. These
principles are designed to prepare organizations, particularly financial
institutions, to control the unexpected and survive.

In the late 1970s and early '80s, while working as a management consultant
with Risk Planning Group, several of us developed a set of general risk
management "principles" against which we could benchmark client
programs. These preliminary "principles" met with approval and
were published in 1988 in "The Risk Management Audit," in Risk
Management Reports, Vol. 15, No. 2. The fifteen "Guiding Principles
for a Sound Risk Management Process" were later revised and updated
in 1994 by Tillinghast-Towers Perrin, with which Risk Planning Group merged
in 1985. Each principle was accompanied by one to four "risk strategies."
These strategies,in turn, had numerous "risk tactics," tools
and techniques employed successfully by different organizations. Of course,
none of this had the imprint of "accepted wisdom." It was only
a suggested starting point.

Now Coopers & Lybrand has attempted a more ambitious set of standards.
It has responded to the series of notable financial market catastrophes
(Barings, Daiwa, Bankers Trust and Metallgeschellshaft, among others) that
reduced confidence in banks, and to the resulting new regulations. Using
both internal staff and a blue ribbon external review board, chaired by
Sir Peter Middleton, the Coopers & Lybrand GARP is a major addition
to the risk management literature.

Sir Peter concludes in his Foreword, "The cost of risk management
is not an item of discretionary expenditure. If an organization is to be
properly managed, spending on risk management has to be driven by the risks
taken on, rather than by the profits or loss achieved by the business unit,
or by the politically or economically sustainable overhead level. A business
line must treat the cost of risk management as the cost of doing business."
This is exactly the message of those preaching integrated, or holistic,
or strategic risk management these past few years. It is now embodied in
89 Principles.

A cynic might argue that 89 are a bit of overkill. Moses only needed
ten, and we managed with 15 in 1988. On the other hand, Martin Luther rambled
on to 95, so perhaps the 89 of GARP are reasonable.

GARP suggests four "fundamental themes:" (1) The ultimate
responsibility for risk management must be with the board . . . ., (2)
The board and executive management must recognize a wide variety of risk
types . . . ., (3) Support and control functions . . . need to be an integral
part of the overall risk management framework, and (4) Risk management
objectives and policies must be a key driver of the overall business strategy.
These themes are not new. Royal Dutch Shell incorporated many of them into
its strategies over a decade ago. Bankers Trust uses the RAROC (risk adjusted
return on capital) model for its operations. "Value at Risk"
(VAR) is employed by many financial institutions. Yet the GARP Principles
incorporate much recent research and practice.

The first twelve Principles address risk management strategy. They include
the ultimate responsibility of the board, the need for an "integrated
framework of responsibilities and functions" for risk management,
the delegation of board responsibility to the executive committee, and
the need for independence of support and control functions.

Principles 13-19 call for a "dedicated risk management function"
to address first credit, market and liquidity risks, and then other organizational
risks. This function "must be independent of the business units and
trading areas." To me, this means that risk management should not
report to finance, human relations, or administration, but, as GARP
suggests, directly to the executive committee. GARP suggests a "risk
management group," led by the risk management function, composed of
representatives from strategic planning, human resources, information technology,
legal, compliance and internal audit. Oddly, finance is missing. The roles
of the specific risk management function are risk monitoring, evaluating
and measuring. Separate risk managers should be appointed to cover each
business unit. The Principles correctly insist that "the responsibility
for a business unit's risks remains with the head of the business unit."

Principles 20-55, on risk measurement, reporting and control,
aim specifically at market, credit and liquidity risks, more typical of
financial institutions. For example, one Principle suggests that firms
"should mark-to-market daily (my emphasis) all trading positions."
Probability-based measures, such as VAR, should be used to aggregate risks.
Limits should be set for various types of risk, such as capital at risk
(No. 41), market risk (No. 42), and credit risk (No. 43). Notably absent
are Principles that apply to "limits" on operational, legal,
regulatory, reputation and human resources risks. These are identified
early in GARP but unfortunately do not receive later attention. They are
included in the framework but seem to be dismissed thereafter. I acknowledge
that market, credit and liquidity risks are more important for financial
institutions, but other risks, admittedly less susceptible to concrete
measurement, can be significant. Appendix 1 defines some of these risk
terms. "Operational risk" includes transaction, operational control
and systems risks. It also mentions "Business/Event risk," incorporating
currency convertibility, shift in credit rating, loss of reputation, change
in taxation, and legal, disaster and regulatory concerns, but this term
does not appear in the text. I'd rather see currency and credit rating
risks combined in the credit and market area, and consolidate the rest
under the heading "operational." I prefer my simpler four risk
categories: financial/market, regulatory/political, legal, and operational.

The final Principles (79-89) address risk management systems to generate
and support needed decision-making information.

As GARP concludes, "the principles . . . have an impact on all
levels of management within a firm, and collectively provide an integrated
framework for risk management and control that links into business strategy
and policy, the firm's culture and the operation of its business activities
at a procedural level." GARP emphasizes the importance of covering
all risks facing the organization, from the more critical market,
credit and liquidity risks, to operational, legal, regulatory, reputation
and human resources risks.

GARP is a significant contribution to the development of the risk management
discipline.

I spend my time at the great work of preserving. Memory, as well as
fruit, is being saved from the corruption of the clocks.

Salmon Rushdie, Midnight's Children, Penguin Books, New
York, 1980

Risk Strategy: Start-Up

A participant in the RiskWeb discussion group on the Internet
recently asked how he could start a "risk strategy" in his organization.
It's a challenging question. Where do we begin? One way of gathering support
is to ask the CEO to create a new "risk strategy committee."
Its participants should include representatives, as suggested above in
the Coopers & Lybrand GARP, from legal, finance, human resources, strategic
planning, IT, compliance, internal audit, plus operating units. Within
six months this team should report to the CEO and the board on the major
risks facing the organization, the rewards they appear to generate,
how they are being controlled, what additional control measures might be
prudent, how these risks are communicated to appropriate stakeholders,
and, finally, how the organization plans to respond to a risk becoming
reality.

As a starter, the committee should ask the participants to describe
three major risks, ranging through financial/market, political/regulatory
and legal, to operational.

Out of the deliberations of this committee should come a new risk policy,
a structure for continuing risk assessment, responsibility for risk controls,
limits on risk and its financing, and a system for periodic monitoring
and reporting to the Board, senior management and other stakeholders.

Whatever approach is used, don't wait. Begin it now.

The medium of print is, indeed, almost inescapably linear - this
word and then this and then this; this line after that . . .,
whereas a great deal of our experience of life is decidedly not linear.
We think and perceive and intuit in buzzes and flashes and gestalts; we
act in a context of vertiginous simultaneity; we see and hear and smell
and touch and taste often in combination, whereas print is a particularly
anesthetic medium of art, the only one I know that appeals directly
to none of the physical senses.

John Barth, "The State of the Art," Wilson Quarterly,
Spring, 1996

Insurance Irrelevant?

Bill Kelly, J. P. Morgan's Managing Director for Risk Management,
has issued a clear and challenging call to the commercial insurance industry.
His speech, "Is Insurance Becoming Irrelevant?," given to a symposium
at Fairleigh Dickinson University, in New Jersey, in May this year, has
now been published in the August issue of Risk Management magazine.
The full text can also be found at www.rims.org/ifrima.

Bill and I have sometimes disagreed about the importance of a fully
integrated risk management function but we share completely his concern
about the relevance of the current non-life insurance market. He recites
the vast array of relatively trivial coverages now offered to financial
institutions. He criticizes the relentless shrinkage of the definition
of "dishonesty." Like the Cheshire Cat, the body of coverage
has disappeared, leaving only its mocking grin. Kelly asks, "Are we
again at a point (as in 1985-86) where insureds are deciding that traditionally
available insurance products simply don't serve their overall needs?"
He suggests a new "partnership" be created among insureds and
insurers in which risk is treated as a systemic problem, not separately.
He acknowledges the growing financial disparity between banks (the insureds)
and the non-life insurance industry. For example, in 1995, total US non-life
premiums were $359 billion, supported by surplus of about $230 billion.
The deposits of the top ten banks in the US alone totaled $787 billion
in 1997. That buyers are turning to capital markets and other risk financing
options should be no surprize.

Bill Kelly describes the growing reliance of banks on earnings derived
from other than physical plant. Yet "business interruption" insurance
remains concretely anchored to building insurance! Technology systems,
data, political infrastructure, and reputation all affect earning capability,
but insurance is unavailable to respond.

He asks: "Where should the
industry be focusing its creative energies, if it is not to be wedded to
the past, or consumed with redecorating old structures?" His answer:
"All of the fundamental changes in financial services and corporate
America suggest that a radical change in financial service insurance products
is called for." He argues, like British Petroleum (see RMR "Topsy
Turvy," July 1994), that insurance can be cost effective at the primary
level (BP defines this as less than $10 million), but isn't this the level
that larger organizations can easily and cost-effectively fund themselves?
Kelly proposes a new approach to a higher level of financing, initially
set at $1 billion, and now modified to $500 million excess of $100 million.
I suggest that this layer may, in the future, have greater participation
from capital markets than from traditional non-life insurers.
J. P. Morgan is also moving toward a new "architecture"
of risk management, addressing risks holistically: market/credit, revenue
volatility, expense variation, operating and capital, similar to the GARP
categories. Morgan has a "corporate risk management group," focusing
on financial risks, complemented by an "operating risk committee,"
in response to the new regulatory demand that financial institutions "identify
risk laterally across the organization." Kelly argues that different
risks still require different responses. I agree: separate treatment, depending
on specialty and counterparty availability, but a consolidated view of
all risks.

Bill Kelly does not propose answers for the insurance industry, but
his questions should stimulate immediate discussion.

You could already see that their great passion in life would be normality
and they would seek out the tiles roof, the small window, the locked door,
the clipped hedge, the wife who never farted, lacy pillows on the marital
bed.

Peter Carey, The Illywhacker, Faber & Faber, London, 1985

"Global Cooling"

I read much in the press about global warming and its effect
on weather patterns. Drought, storms, and floods are supposed to be increasing,
leading to horrendous financial effects. While sharing with a Canadian
friend some thoughts on both global weather and the move of ice hockey
teams south (my Hartford Whalers are now in Nashville, Tennessee), I received
from him the following email that points to an entirely different scenario.
Risk managers, take note!

I have hit upon a significant fact of geothermal physics. The recent
abundance of ice hockey rinks south of the border and as far down as Florida
and Texas, where there should be virtually no ice at any time, and certainly
none at this time of year, has resulted in the phenomenon called "global
cooling." In addition, condensation from all this ice ("hice"
a la Province de Quebec) has served to plug up those holes in the ozone
layer, thus intensifying the reversion to our sadly missed "old fashioned
winters."

Soon we will be able to dispense with artificial hice; we
will be able to play in the streets again, and if the masses return to
the national pastime, we will surely run out of rubber hockey pucks. Then
we will revert to the favorite missile of our youth ("ute" a
la Province de Quebec), the horse ball, or pomme de rue, which is a chunk
of second hand oatmeal, bound together with equine body fluids and distributed
abundantly on the streets by the docile beasts that pull the dairy and
bakery sleds.
They are the original and perfect hockey pucks. They take
a uniform bounce, they have good carry-through (momentum) and they will
hold together until some insensitive player slams one into the goal post
with a slap shot, at which time the pomme de rue will explode into many
pieces, some of which will go into the net causing the red light to go
on, and confusing the hell out of everyone present or watching on radio.
The goalie will yell, "Shit!", the referee will shout, "It's
a goal," and the opposing coach will scream 'Horseshit!," to
which everyone will have to agree; so they will give one point to each
team and face off at center ice.

Yes, my correspondent is from Ottawa, not Montreal.

Young males are really the most dangerous people on the planet, because
they easily respond to authority and they want approval. They are given
the rewards for getting into the hierarchical system, and they're given
to believe they're building heaven on earth. In most atrocities, there's
the big utopian dream - a cleaner society, or purer society. Young people
are very idealistic, and the powers prey on the young people by appealing
to their more idealistic nature.

Dr. Richard Millica, Director, Program in Refugee Trauma, Harvard
University, as quoted by Philip Gourevitch, "After the Genocide,"
The New Yorker, December 18, 1995

Egregious Error

In the August issue of Risk Management Reports, I
concluded with a short piece on apostrophes, written by David Warren and
his Uncle Pumblechook. I introduced Uncle P. by referring to "Dickens'
Great Expectations." I goofed. The possessive of "Dickens"
is properly "Dickens's."

It doesn't look pretty but that's the
way it should be. I should have known, since I am always reminded of that
rule by the address of The Economist in London: 25 St. James's Street.
My thanks to the readers who promptly (and gleefully) yanked my leash on
this one.

We are all at best marginalia in another era's fossil record.

James Hamilton-Patterson, The Great Deep, Henry Holt &
Co., New York, 1992